CVE-2026-59762 in BIG-IPinfo

Summary

by MITRE • 07/15/2026

When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization.  









Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote, unauthenticated attacker to cause a degradation of service that can lead to a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only.





Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability resides within the F5 BIG-IP system's HTTP/2 profile implementation, specifically affecting the data plane processing of incoming requests. The flaw manifests when HTTP/2 profiles are configured on virtual servers, creating a condition where certain undisclosed request patterns trigger excessive memory consumption within the Traffic Management Microkernel (TMM) process. The vulnerability represents a classic resource exhaustion issue that can be exploited remotely without authentication, making it particularly dangerous in production environments where system stability and availability are paramount.

The technical mechanism behind this vulnerability involves improper handling of specific HTTP/2 frame sequences or request structures that cause the TMM process to allocate memory resources in an uncontrolled manner. When these particular requests are processed through the configured HTTP/2 profile, the memory allocation routines fail to properly manage or release allocated resources, leading to progressive memory consumption until system performance becomes severely degraded. This behavior aligns with CWE-401: Improper Release of Memory and follows patterns commonly seen in data plane DoS vulnerabilities where legitimate traffic processing leads to resource exhaustion.

The operational impact of this vulnerability extends beyond simple performance degradation to potentially complete system unavailability. As memory utilization increases, the TMM process experiences significant performance bottlenecks that can cascade into broader system instability. The need for either forced or manual restart of the TMM process indicates that the memory consumption reaches critical levels that cannot be recovered through normal system operations. This vulnerability directly maps to ATT&CK technique T1499.004: Network Denial of Service, specifically targeting the availability aspect of the CIA triad. The fact that this is a data plane issue without control plane exposure suggests that the attack surface is limited to network traffic processing rather than administrative interfaces, but still represents a significant threat to service availability.

Mitigation strategies should focus on immediate configuration changes and monitoring implementation. Organizations must first assess their current BIG-IP deployments to identify systems with HTTP/2 profiles configured on virtual servers, as these represent the vulnerable attack surface. Immediate remediation involves either disabling HTTP/2 profiles on affected virtual servers or applying F5's official security patches that address the specific memory handling flaw. Network monitoring should be enhanced to detect unusual memory consumption patterns in TMM processes, enabling proactive response before complete service degradation occurs. Additionally, implementing rate limiting and request filtering mechanisms can help reduce the impact of malicious requests while awaiting permanent patches. The vulnerability demonstrates the importance of proper resource management in high-performance network processing systems and highlights the need for comprehensive testing of protocol implementations against various traffic patterns to prevent similar issues in the future.

Responsible

F5

Reservation

07/08/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!